Engage POWER8 AES support.
[openssl.git] / crypto / evp / e_aes.c
1 /* ====================================================================
2  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer. 
10  *
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in
13  *    the documentation and/or other materials provided with the
14  *    distribution.
15  *
16  * 3. All advertising materials mentioning features or use of this
17  *    software must display the following acknowledgment:
18  *    "This product includes software developed by the OpenSSL Project
19  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20  *
21  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22  *    endorse or promote products derived from this software without
23  *    prior written permission. For written permission, please contact
24  *    openssl-core@openssl.org.
25  *
26  * 5. Products derived from this software may not be called "OpenSSL"
27  *    nor may "OpenSSL" appear in their names without prior written
28  *    permission of the OpenSSL Project.
29  *
30  * 6. Redistributions of any form whatsoever must retain the following
31  *    acknowledgment:
32  *    "This product includes software developed by the OpenSSL Project
33  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34  *
35  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
39  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  * ====================================================================
48  *
49  */
50
51 #define OPENSSL_FIPSAPI
52
53 #include <openssl/opensslconf.h>
54 #ifndef OPENSSL_NO_AES
55 #include <openssl/evp.h>
56 #include <openssl/err.h>
57 #include <string.h>
58 #include <assert.h>
59 #include <openssl/aes.h>
60 #include "evp_locl.h"
61 #include "modes_lcl.h"
62 #include <openssl/rand.h>
63
64 typedef struct
65         {
66         union { double align; AES_KEY ks; } ks;
67         block128_f block;
68         union {
69                 cbc128_f cbc;
70                 ctr128_f ctr;
71         } stream;
72         } EVP_AES_KEY;
73
74 typedef struct
75         {
76         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
77         int key_set;            /* Set if key initialised */
78         int iv_set;             /* Set if an iv is set */
79         GCM128_CONTEXT gcm;
80         unsigned char *iv;      /* Temporary IV store */
81         int ivlen;              /* IV length */
82         int taglen;
83         int iv_gen;             /* It is OK to generate IVs */
84         int tls_aad_len;        /* TLS AAD length */
85         ctr128_f ctr;
86         } EVP_AES_GCM_CTX;
87
88 typedef struct
89         {
90         union { double align; AES_KEY ks; } ks1, ks2;   /* AES key schedules to use */
91         XTS128_CONTEXT xts;
92         void     (*stream)(const unsigned char *in,
93                         unsigned char *out, size_t length,
94                         const AES_KEY *key1, const AES_KEY *key2,
95                         const unsigned char iv[16]);
96         } EVP_AES_XTS_CTX;
97
98 typedef struct
99         {
100         union { double align; AES_KEY ks; } ks; /* AES key schedule to use */
101         int key_set;            /* Set if key initialised */
102         int iv_set;             /* Set if an iv is set */
103         int tag_set;            /* Set if tag is valid */
104         int len_set;            /* Set if message length set */
105         int L, M;               /* L and M parameters from RFC3610 */
106         CCM128_CONTEXT ccm;
107         ccm128_f str;
108         } EVP_AES_CCM_CTX;
109
110 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
111
112 #ifdef VPAES_ASM
113 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
114                         AES_KEY *key);
115 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
116                         AES_KEY *key);
117
118 void vpaes_encrypt(const unsigned char *in, unsigned char *out,
119                         const AES_KEY *key);
120 void vpaes_decrypt(const unsigned char *in, unsigned char *out,
121                         const AES_KEY *key);
122
123 void vpaes_cbc_encrypt(const unsigned char *in,
124                         unsigned char *out,
125                         size_t length,
126                         const AES_KEY *key,
127                         unsigned char *ivec, int enc);
128 #endif
129 #ifdef BSAES_ASM
130 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
131                         size_t length, const AES_KEY *key,
132                         unsigned char ivec[16], int enc);
133 void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
134                         size_t len, const AES_KEY *key,
135                         const unsigned char ivec[16]);
136 void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
137                         size_t len, const AES_KEY *key1,
138                         const AES_KEY *key2, const unsigned char iv[16]);
139 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
140                         size_t len, const AES_KEY *key1,
141                         const AES_KEY *key2, const unsigned char iv[16]);
142 #endif
143 #ifdef AES_CTR_ASM
144 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
145                         size_t blocks, const AES_KEY *key,
146                         const unsigned char ivec[AES_BLOCK_SIZE]);
147 #endif
148 #ifdef AES_XTS_ASM
149 void AES_xts_encrypt(const char *inp,char *out,size_t len,
150                         const AES_KEY *key1, const AES_KEY *key2,
151                         const unsigned char iv[16]);
152 void AES_xts_decrypt(const char *inp,char *out,size_t len,
153                         const AES_KEY *key1, const AES_KEY *key2,
154                         const unsigned char iv[16]);
155 #endif
156
157 #if     defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
158 extern unsigned int OPENSSL_ppccap_P;
159 # ifdef VPAES_ASM
160 #  define VPAES_CAPABLE (OPENSSL_ppccap_P&(1<<1))
161 # endif
162 # define HWAES_CAPABLE  (OPENSSL_ppccap_P&(1<<2))
163 # define HWAES_set_encrypt_key aes_p8_set_encrypt_key
164 # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
165 # define HWAES_encrypt aes_p8_encrypt
166 # define HWAES_decrypt aes_p8_decrypt
167 # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
168 #endif
169
170 #if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
171         ((defined(__i386)       || defined(__i386__)    || \
172           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
173         defined(__x86_64)       || defined(__x86_64__)  || \
174         defined(_M_AMD64)       || defined(_M_X64)      || \
175         defined(__INTEL__)                              )
176
177 extern unsigned int OPENSSL_ia32cap_P[];
178
179 #ifdef VPAES_ASM
180 #define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
181 #endif
182 #ifdef BSAES_ASM
183 #define BSAES_CAPABLE   VPAES_CAPABLE
184 #endif
185 /*
186  * AES-NI section
187  */
188 #define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
189
190 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
191                         AES_KEY *key);
192 int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
193                         AES_KEY *key);
194
195 void aesni_encrypt(const unsigned char *in, unsigned char *out,
196                         const AES_KEY *key);
197 void aesni_decrypt(const unsigned char *in, unsigned char *out,
198                         const AES_KEY *key);
199
200 void aesni_ecb_encrypt(const unsigned char *in,
201                         unsigned char *out,
202                         size_t length,
203                         const AES_KEY *key,
204                         int enc);
205 void aesni_cbc_encrypt(const unsigned char *in,
206                         unsigned char *out,
207                         size_t length,
208                         const AES_KEY *key,
209                         unsigned char *ivec, int enc);
210
211 void aesni_ctr32_encrypt_blocks(const unsigned char *in,
212                         unsigned char *out,
213                         size_t blocks,
214                         const void *key,
215                         const unsigned char *ivec);
216
217 void aesni_xts_encrypt(const unsigned char *in,
218                         unsigned char *out,
219                         size_t length,
220                         const AES_KEY *key1, const AES_KEY *key2,
221                         const unsigned char iv[16]);
222
223 void aesni_xts_decrypt(const unsigned char *in,
224                         unsigned char *out,
225                         size_t length,
226                         const AES_KEY *key1, const AES_KEY *key2,
227                         const unsigned char iv[16]);
228
229 void aesni_ccm64_encrypt_blocks (const unsigned char *in,
230                         unsigned char *out,
231                         size_t blocks,
232                         const void *key,
233                         const unsigned char ivec[16],
234                         unsigned char cmac[16]);
235
236 void aesni_ccm64_decrypt_blocks (const unsigned char *in,
237                         unsigned char *out,
238                         size_t blocks,
239                         const void *key,
240                         const unsigned char ivec[16],
241                         unsigned char cmac[16]);
242
243 #if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
244 size_t aesni_gcm_encrypt(const unsigned char *in,
245                         unsigned char *out,
246                         size_t len,
247                         const void *key,
248                         unsigned char ivec[16],
249                         u64 *Xi);
250 #define AES_gcm_encrypt aesni_gcm_encrypt
251 size_t aesni_gcm_decrypt(const unsigned char *in,
252                         unsigned char *out,
253                         size_t len,
254                         const void *key,
255                         unsigned char ivec[16],
256                         u64 *Xi);
257 #define AES_gcm_decrypt aesni_gcm_decrypt
258 void gcm_ghash_avx(u64 Xi[2],const u128 Htable[16],const u8 *in,size_t len);
259 #define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
260                                  gctx->gcm.ghash==gcm_ghash_avx)
261 #define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
262                                  gctx->gcm.ghash==gcm_ghash_avx)
263 #undef AES_GCM_ASM2             /* minor size optimization */
264 #endif
265
266 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
267                    const unsigned char *iv, int enc)
268         {
269         int ret, mode;
270         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
271
272         mode = ctx->cipher->flags & EVP_CIPH_MODE;
273         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
274             && !enc)
275                 { 
276                 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
277                 dat->block      = (block128_f)aesni_decrypt;
278                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
279                                         (cbc128_f)aesni_cbc_encrypt :
280                                         NULL;
281                 }
282         else    {
283                 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
284                 dat->block      = (block128_f)aesni_encrypt;
285                 if (mode==EVP_CIPH_CBC_MODE)
286                         dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
287                 else if (mode==EVP_CIPH_CTR_MODE)
288                         dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
289                 else
290                         dat->stream.cbc = NULL;
291                 }
292
293         if(ret < 0)
294                 {
295                 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
296                 return 0;
297                 }
298
299         return 1;
300         }
301
302 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
303         const unsigned char *in, size_t len)
304 {
305         aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
306
307         return 1;
308 }
309
310 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
311         const unsigned char *in, size_t len)
312 {
313         size_t  bl = ctx->cipher->block_size;
314
315         if (len<bl)     return 1;
316
317         aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
318
319         return 1;
320 }
321
322 #define aesni_ofb_cipher aes_ofb_cipher
323 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
324         const unsigned char *in,size_t len);
325
326 #define aesni_cfb_cipher aes_cfb_cipher
327 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
328         const unsigned char *in,size_t len);
329
330 #define aesni_cfb8_cipher aes_cfb8_cipher
331 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
332         const unsigned char *in,size_t len);
333
334 #define aesni_cfb1_cipher aes_cfb1_cipher
335 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
336         const unsigned char *in,size_t len);
337
338 #define aesni_ctr_cipher aes_ctr_cipher
339 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
340                 const unsigned char *in, size_t len);
341
342 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
343                         const unsigned char *iv, int enc)
344         {
345         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
346         if (!iv && !key)
347                 return 1;
348         if (key)
349                 {
350                 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
351                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
352                                 (block128_f)aesni_encrypt);
353                 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
354                 /* If we have an iv can set it directly, otherwise use
355                  * saved IV.
356                  */
357                 if (iv == NULL && gctx->iv_set)
358                         iv = gctx->iv;
359                 if (iv)
360                         {
361                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
362                         gctx->iv_set = 1;
363                         }
364                 gctx->key_set = 1;
365                 }
366         else
367                 {
368                 /* If key set use IV, otherwise copy */
369                 if (gctx->key_set)
370                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
371                 else
372                         memcpy(gctx->iv, iv, gctx->ivlen);
373                 gctx->iv_set = 1;
374                 gctx->iv_gen = 0;
375                 }
376         return 1;
377         }
378
379 #define aesni_gcm_cipher aes_gcm_cipher
380 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
381                 const unsigned char *in, size_t len);
382
383 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
384                         const unsigned char *iv, int enc)
385         {
386         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
387         if (!iv && !key)
388                 return 1;
389
390         if (key)
391                 {
392                 /* key_len is two AES keys */
393                 if (enc)
394                         {
395                         aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
396                         xctx->xts.block1 = (block128_f)aesni_encrypt;
397                         xctx->stream = aesni_xts_encrypt;
398                         }
399                 else
400                         {
401                         aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
402                         xctx->xts.block1 = (block128_f)aesni_decrypt;
403                         xctx->stream = aesni_xts_decrypt;
404                         }
405
406                 aesni_set_encrypt_key(key + ctx->key_len/2,
407                                                 ctx->key_len * 4, &xctx->ks2.ks);
408                 xctx->xts.block2 = (block128_f)aesni_encrypt;
409
410                 xctx->xts.key1 = &xctx->ks1;
411                 }
412
413         if (iv)
414                 {
415                 xctx->xts.key2 = &xctx->ks2;
416                 memcpy(ctx->iv, iv, 16);
417                 }
418
419         return 1;
420         }
421
422 #define aesni_xts_cipher aes_xts_cipher
423 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
424                 const unsigned char *in, size_t len);
425
426 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
427                         const unsigned char *iv, int enc)
428         {
429         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
430         if (!iv && !key)
431                 return 1;
432         if (key)
433                 {
434                 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
435                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
436                                         &cctx->ks, (block128_f)aesni_encrypt);
437                 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
438                                 (ccm128_f)aesni_ccm64_decrypt_blocks;
439                 cctx->key_set = 1;
440                 }
441         if (iv)
442                 {
443                 memcpy(ctx->iv, iv, 15 - cctx->L);
444                 cctx->iv_set = 1;
445                 }
446         return 1;
447         }
448
449 #define aesni_ccm_cipher aes_ccm_cipher
450 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
451                 const unsigned char *in, size_t len);
452
453 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
454 static const EVP_CIPHER aesni_##keylen##_##mode = { \
455         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
456         flags|EVP_CIPH_##MODE##_MODE,   \
457         aesni_init_key,                 \
458         aesni_##mode##_cipher,          \
459         NULL,                           \
460         sizeof(EVP_AES_KEY),            \
461         NULL,NULL,NULL,NULL }; \
462 static const EVP_CIPHER aes_##keylen##_##mode = { \
463         nid##_##keylen##_##nmode,blocksize,     \
464         keylen/8,ivlen, \
465         flags|EVP_CIPH_##MODE##_MODE,   \
466         aes_init_key,                   \
467         aes_##mode##_cipher,            \
468         NULL,                           \
469         sizeof(EVP_AES_KEY),            \
470         NULL,NULL,NULL,NULL }; \
471 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
472 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
473
474 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
475 static const EVP_CIPHER aesni_##keylen##_##mode = { \
476         nid##_##keylen##_##mode,blocksize, \
477         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
478         flags|EVP_CIPH_##MODE##_MODE,   \
479         aesni_##mode##_init_key,        \
480         aesni_##mode##_cipher,          \
481         aes_##mode##_cleanup,           \
482         sizeof(EVP_AES_##MODE##_CTX),   \
483         NULL,NULL,aes_##mode##_ctrl,NULL }; \
484 static const EVP_CIPHER aes_##keylen##_##mode = { \
485         nid##_##keylen##_##mode,blocksize, \
486         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
487         flags|EVP_CIPH_##MODE##_MODE,   \
488         aes_##mode##_init_key,          \
489         aes_##mode##_cipher,            \
490         aes_##mode##_cleanup,           \
491         sizeof(EVP_AES_##MODE##_CTX),   \
492         NULL,NULL,aes_##mode##_ctrl,NULL }; \
493 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
494 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
495
496 #elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
497
498 #include "sparc_arch.h"
499
500 extern unsigned int OPENSSL_sparcv9cap_P[];
501
502 #define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
503
504 void    aes_t4_set_encrypt_key (const unsigned char *key, int bits,
505                                 AES_KEY *ks);
506 void    aes_t4_set_decrypt_key (const unsigned char *key, int bits,
507                                 AES_KEY *ks);
508 void    aes_t4_encrypt (const unsigned char *in, unsigned char *out,
509                                 const AES_KEY *key);
510 void    aes_t4_decrypt (const unsigned char *in, unsigned char *out,
511                                 const AES_KEY *key);
512 /*
513  * Key-length specific subroutines were chosen for following reason.
514  * Each SPARC T4 core can execute up to 8 threads which share core's
515  * resources. Loading as much key material to registers allows to
516  * minimize references to shared memory interface, as well as amount
517  * of instructions in inner loops [much needed on T4]. But then having
518  * non-key-length specific routines would require conditional branches
519  * either in inner loops or on subroutines' entries. Former is hardly
520  * acceptable, while latter means code size increase to size occupied
521  * by multiple key-length specfic subroutines, so why fight?
522  */
523 void    aes128_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
524                                 size_t len, const AES_KEY *key,
525                                 unsigned char *ivec);
526 void    aes128_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
527                                 size_t len, const AES_KEY *key,
528                                 unsigned char *ivec);
529 void    aes192_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
530                                 size_t len, const AES_KEY *key,
531                                 unsigned char *ivec);
532 void    aes192_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
533                                 size_t len, const AES_KEY *key,
534                                 unsigned char *ivec);
535 void    aes256_t4_cbc_encrypt (const unsigned char *in, unsigned char *out,
536                                 size_t len, const AES_KEY *key,
537                                 unsigned char *ivec);
538 void    aes256_t4_cbc_decrypt (const unsigned char *in, unsigned char *out,
539                                 size_t len, const AES_KEY *key,
540                                 unsigned char *ivec);
541 void    aes128_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
542                                 size_t blocks, const AES_KEY *key,
543                                 unsigned char *ivec);
544 void    aes192_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
545                                 size_t blocks, const AES_KEY *key,
546                                 unsigned char *ivec);
547 void    aes256_t4_ctr32_encrypt (const unsigned char *in, unsigned char *out,
548                                 size_t blocks, const AES_KEY *key,
549                                 unsigned char *ivec);
550 void    aes128_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
551                                 size_t blocks, const AES_KEY *key1,
552                                 const AES_KEY *key2, const unsigned char *ivec);
553 void    aes128_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
554                                 size_t blocks, const AES_KEY *key1,
555                                 const AES_KEY *key2, const unsigned char *ivec);
556 void    aes256_t4_xts_encrypt (const unsigned char *in, unsigned char *out,
557                                 size_t blocks, const AES_KEY *key1,
558                                 const AES_KEY *key2, const unsigned char *ivec);
559 void    aes256_t4_xts_decrypt (const unsigned char *in, unsigned char *out,
560                                 size_t blocks, const AES_KEY *key1,
561                                 const AES_KEY *key2, const unsigned char *ivec);
562
563 static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
564                    const unsigned char *iv, int enc)
565         {
566         int ret, mode, bits;
567         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
568
569         mode = ctx->cipher->flags & EVP_CIPH_MODE;
570         bits = ctx->key_len*8;
571         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
572             && !enc)
573                 {
574                     ret = 0;
575                     aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
576                     dat->block  = (block128_f)aes_t4_decrypt;
577                     switch (bits) {
578                     case 128:
579                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
580                                                 (cbc128_f)aes128_t4_cbc_decrypt :
581                                                 NULL;
582                         break;
583                     case 192:
584                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
585                                                 (cbc128_f)aes192_t4_cbc_decrypt :
586                                                 NULL;
587                         break;
588                     case 256:
589                         dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
590                                                 (cbc128_f)aes256_t4_cbc_decrypt :
591                                                 NULL;
592                         break;
593                     default:
594                         ret = -1;
595                     }
596                 }
597         else    {
598                     ret = 0;
599                     aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
600                     dat->block  = (block128_f)aes_t4_encrypt;
601                     switch (bits) {
602                     case 128:
603                         if (mode==EVP_CIPH_CBC_MODE)
604                                 dat->stream.cbc = (cbc128_f)aes128_t4_cbc_encrypt;
605                         else if (mode==EVP_CIPH_CTR_MODE)
606                                 dat->stream.ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
607                         else
608                                 dat->stream.cbc = NULL;
609                         break;
610                     case 192:
611                         if (mode==EVP_CIPH_CBC_MODE)
612                                 dat->stream.cbc = (cbc128_f)aes192_t4_cbc_encrypt;
613                         else if (mode==EVP_CIPH_CTR_MODE)
614                                 dat->stream.ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
615                         else
616                                 dat->stream.cbc = NULL;
617                         break;
618                     case 256:
619                         if (mode==EVP_CIPH_CBC_MODE)
620                                 dat->stream.cbc = (cbc128_f)aes256_t4_cbc_encrypt;
621                         else if (mode==EVP_CIPH_CTR_MODE)
622                                 dat->stream.ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
623                         else
624                                 dat->stream.cbc = NULL;
625                         break;
626                     default:
627                         ret = -1;
628                     }
629                 }
630
631         if(ret < 0)
632                 {
633                 EVPerr(EVP_F_AES_T4_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
634                 return 0;
635                 }
636
637         return 1;
638         }
639
640 #define aes_t4_cbc_cipher aes_cbc_cipher
641 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
642         const unsigned char *in, size_t len);
643
644 #define aes_t4_ecb_cipher aes_ecb_cipher 
645 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
646         const unsigned char *in, size_t len);
647
648 #define aes_t4_ofb_cipher aes_ofb_cipher
649 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
650         const unsigned char *in,size_t len);
651
652 #define aes_t4_cfb_cipher aes_cfb_cipher
653 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
654         const unsigned char *in,size_t len);
655
656 #define aes_t4_cfb8_cipher aes_cfb8_cipher
657 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
658         const unsigned char *in,size_t len);
659
660 #define aes_t4_cfb1_cipher aes_cfb1_cipher
661 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
662         const unsigned char *in,size_t len);
663
664 #define aes_t4_ctr_cipher aes_ctr_cipher
665 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
666                 const unsigned char *in, size_t len);
667
668 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
669                         const unsigned char *iv, int enc)
670         {
671         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
672         if (!iv && !key)
673                 return 1;
674         if (key)
675                 {
676                 int bits = ctx->key_len * 8;
677                 aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
678                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
679                                 (block128_f)aes_t4_encrypt);
680                 switch (bits) {
681                     case 128:
682                         gctx->ctr = (ctr128_f)aes128_t4_ctr32_encrypt;
683                         break;
684                     case 192:
685                         gctx->ctr = (ctr128_f)aes192_t4_ctr32_encrypt;
686                         break;
687                     case 256:
688                         gctx->ctr = (ctr128_f)aes256_t4_ctr32_encrypt;
689                         break;
690                     default:
691                         return 0;
692                 }
693                 /* If we have an iv can set it directly, otherwise use
694                  * saved IV.
695                  */
696                 if (iv == NULL && gctx->iv_set)
697                         iv = gctx->iv;
698                 if (iv)
699                         {
700                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
701                         gctx->iv_set = 1;
702                         }
703                 gctx->key_set = 1;
704                 }
705         else
706                 {
707                 /* If key set use IV, otherwise copy */
708                 if (gctx->key_set)
709                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
710                 else
711                         memcpy(gctx->iv, iv, gctx->ivlen);
712                 gctx->iv_set = 1;
713                 gctx->iv_gen = 0;
714                 }
715         return 1;
716         }
717
718 #define aes_t4_gcm_cipher aes_gcm_cipher
719 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
720                 const unsigned char *in, size_t len);
721
722 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
723                         const unsigned char *iv, int enc)
724         {
725         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
726         if (!iv && !key)
727                 return 1;
728
729         if (key)
730                 {
731                 int bits = ctx->key_len * 4;
732                 xctx->stream = NULL;
733                 /* key_len is two AES keys */
734                 if (enc)
735                         {
736                         aes_t4_set_encrypt_key(key, bits, &xctx->ks1.ks);
737                         xctx->xts.block1 = (block128_f)aes_t4_encrypt;
738                         switch (bits) {
739                             case 128:
740                                 xctx->stream = aes128_t4_xts_encrypt;
741                                 break;
742 #if 0 /* not yet */
743                             case 192:
744                                 xctx->stream = aes192_t4_xts_encrypt;
745                                 break;
746 #endif
747                             case 256:
748                                 xctx->stream = aes256_t4_xts_encrypt;
749                                 break;
750                             default:
751                                 return 0;
752                             }
753                         }
754                 else
755                         {
756                         aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
757                         xctx->xts.block1 = (block128_f)aes_t4_decrypt;
758                         switch (bits) {
759                             case 128:
760                                 xctx->stream = aes128_t4_xts_decrypt;
761                                 break;
762 #if 0 /* not yet */
763                             case 192:
764                                 xctx->stream = aes192_t4_xts_decrypt;
765                                 break;
766 #endif
767                             case 256:
768                                 xctx->stream = aes256_t4_xts_decrypt;
769                                 break;
770                             default:
771                                 return 0;
772                             }
773                         }
774
775                 aes_t4_set_encrypt_key(key + ctx->key_len/2,
776                                                 ctx->key_len * 4, &xctx->ks2.ks);
777                 xctx->xts.block2 = (block128_f)aes_t4_encrypt;
778
779                 xctx->xts.key1 = &xctx->ks1;
780                 }
781
782         if (iv)
783                 {
784                 xctx->xts.key2 = &xctx->ks2;
785                 memcpy(ctx->iv, iv, 16);
786                 }
787
788         return 1;
789         }
790
791 #define aes_t4_xts_cipher aes_xts_cipher
792 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
793                 const unsigned char *in, size_t len);
794
795 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
796                         const unsigned char *iv, int enc)
797         {
798         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
799         if (!iv && !key)
800                 return 1;
801         if (key)
802                 {
803                 int bits = ctx->key_len * 8;
804                 aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
805                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
806                                         &cctx->ks, (block128_f)aes_t4_encrypt);
807 #if 0 /* not yet */
808                 switch (bits) {
809                     case 128:
810                         cctx->str = enc?(ccm128_f)aes128_t4_ccm64_encrypt :
811                                 (ccm128_f)ae128_t4_ccm64_decrypt;
812                         break;
813                     case 192:
814                         cctx->str = enc?(ccm128_f)aes192_t4_ccm64_encrypt :
815                                 (ccm128_f)ae192_t4_ccm64_decrypt;
816                         break;
817                     case 256:
818                         cctx->str = enc?(ccm128_f)aes256_t4_ccm64_encrypt :
819                                 (ccm128_f)ae256_t4_ccm64_decrypt;
820                         break;
821                     default:
822                         return 0;
823                     }
824 #endif
825                 cctx->key_set = 1;
826                 }
827         if (iv)
828                 {
829                 memcpy(ctx->iv, iv, 15 - cctx->L);
830                 cctx->iv_set = 1;
831                 }
832         return 1;
833         }
834
835 #define aes_t4_ccm_cipher aes_ccm_cipher
836 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
837                 const unsigned char *in, size_t len);
838
839 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
840 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
841         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
842         flags|EVP_CIPH_##MODE##_MODE,   \
843         aes_t4_init_key,                \
844         aes_t4_##mode##_cipher,         \
845         NULL,                           \
846         sizeof(EVP_AES_KEY),            \
847         NULL,NULL,NULL,NULL }; \
848 static const EVP_CIPHER aes_##keylen##_##mode = { \
849         nid##_##keylen##_##nmode,blocksize,     \
850         keylen/8,ivlen, \
851         flags|EVP_CIPH_##MODE##_MODE,   \
852         aes_init_key,                   \
853         aes_##mode##_cipher,            \
854         NULL,                           \
855         sizeof(EVP_AES_KEY),            \
856         NULL,NULL,NULL,NULL }; \
857 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
858 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
859
860 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
861 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
862         nid##_##keylen##_##mode,blocksize, \
863         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
864         flags|EVP_CIPH_##MODE##_MODE,   \
865         aes_t4_##mode##_init_key,       \
866         aes_t4_##mode##_cipher,         \
867         aes_##mode##_cleanup,           \
868         sizeof(EVP_AES_##MODE##_CTX),   \
869         NULL,NULL,aes_##mode##_ctrl,NULL }; \
870 static const EVP_CIPHER aes_##keylen##_##mode = { \
871         nid##_##keylen##_##mode,blocksize, \
872         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
873         flags|EVP_CIPH_##MODE##_MODE,   \
874         aes_##mode##_init_key,          \
875         aes_##mode##_cipher,            \
876         aes_##mode##_cleanup,           \
877         sizeof(EVP_AES_##MODE##_CTX),   \
878         NULL,NULL,aes_##mode##_ctrl,NULL }; \
879 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
880 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
881
882 #else
883
884 #define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
885 static const EVP_CIPHER aes_##keylen##_##mode = { \
886         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
887         flags|EVP_CIPH_##MODE##_MODE,   \
888         aes_init_key,                   \
889         aes_##mode##_cipher,            \
890         NULL,                           \
891         sizeof(EVP_AES_KEY),            \
892         NULL,NULL,NULL,NULL }; \
893 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
894 { return &aes_##keylen##_##mode; }
895
896 #define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
897 static const EVP_CIPHER aes_##keylen##_##mode = { \
898         nid##_##keylen##_##mode,blocksize, \
899         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
900         flags|EVP_CIPH_##MODE##_MODE,   \
901         aes_##mode##_init_key,          \
902         aes_##mode##_cipher,            \
903         aes_##mode##_cleanup,           \
904         sizeof(EVP_AES_##MODE##_CTX),   \
905         NULL,NULL,aes_##mode##_ctrl,NULL }; \
906 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
907 { return &aes_##keylen##_##mode; }
908
909 #endif
910
911 #if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
912 #include "arm_arch.h"
913 #if __ARM_ARCH__>=7
914 # if defined(BSAES_ASM)
915 #  define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
916 # endif
917 # define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
918 # define HWAES_set_encrypt_key aes_v8_set_encrypt_key
919 # define HWAES_set_decrypt_key aes_v8_set_decrypt_key
920 # define HWAES_encrypt aes_v8_encrypt
921 # define HWAES_decrypt aes_v8_decrypt
922 # define HWAES_cbc_encrypt aes_v8_cbc_encrypt
923 # define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
924 #endif
925 #endif
926
927 #if defined(HWAES_CAPABLE)
928 int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
929         AES_KEY *key);
930 int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
931         AES_KEY *key);
932 void HWAES_encrypt(const unsigned char *in, unsigned char *out,
933         const AES_KEY *key);
934 void HWAES_decrypt(const unsigned char *in, unsigned char *out,
935         const AES_KEY *key);
936 void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
937         size_t length, const AES_KEY *key,
938         unsigned char *ivec, const int enc);
939 void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
940         size_t len, const AES_KEY *key, const unsigned char ivec[16]);
941 #endif
942
943 #define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
944         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
945         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
946         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
947         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
948         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
949         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
950         BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
951
952 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
953                    const unsigned char *iv, int enc)
954         {
955         int ret, mode;
956         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
957
958         mode = ctx->cipher->flags & EVP_CIPH_MODE;
959         if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
960             && !enc)
961 #ifdef HWAES_CAPABLE
962             if (HWAES_CAPABLE)
963                 {
964                 ret = HWAES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
965                 dat->block      = (block128_f)HWAES_decrypt;
966                 dat->stream.cbc = NULL;
967 #ifdef HWAES_cbc_encrypt
968                 if (mode==EVP_CIPH_CBC_MODE)
969                     dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
970 #endif
971                 }
972             else
973 #endif
974 #ifdef BSAES_CAPABLE
975             if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
976                 {
977                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
978                 dat->block      = (block128_f)AES_decrypt;
979                 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
980                 }
981             else
982 #endif
983 #ifdef VPAES_CAPABLE
984             if (VPAES_CAPABLE)
985                 {
986                 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
987                 dat->block      = (block128_f)vpaes_decrypt;
988                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
989                                         (cbc128_f)vpaes_cbc_encrypt :
990                                         NULL;
991                 }
992             else
993 #endif
994                 {
995                 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks.ks);
996                 dat->block      = (block128_f)AES_decrypt;
997                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
998                                         (cbc128_f)AES_cbc_encrypt :
999                                         NULL;
1000                 }
1001         else
1002 #ifdef HWAES_CAPABLE
1003             if (HWAES_CAPABLE)
1004                 {
1005                 ret = HWAES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1006                 dat->block      = (block128_f)HWAES_encrypt;
1007                 dat->stream.cbc = NULL;
1008 #ifdef HWAES_cbc_encrypt
1009                 if (mode==EVP_CIPH_CBC_MODE)
1010                     dat->stream.cbc = (cbc128_f)HWAES_cbc_encrypt;
1011                 else
1012 #endif
1013 #ifdef HWAES_ctr32_encrypt_blocks
1014                 if (mode==EVP_CIPH_CTR_MODE)
1015                     dat->stream.ctr = (ctr128_f)HWAES_ctr32_encrypt_blocks;
1016                 else
1017 #endif
1018                 (void)0;        /* terminate potentially open 'else' */
1019                 }
1020             else
1021 #endif
1022 #ifdef BSAES_CAPABLE
1023             if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
1024                 {
1025                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1026                 dat->block      = (block128_f)AES_encrypt;
1027                 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1028                 }
1029             else
1030 #endif
1031 #ifdef VPAES_CAPABLE
1032             if (VPAES_CAPABLE)
1033                 {
1034                 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1035                 dat->block      = (block128_f)vpaes_encrypt;
1036                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
1037                                         (cbc128_f)vpaes_cbc_encrypt :
1038                                         NULL;
1039                 }
1040             else
1041 #endif
1042                 {
1043                 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks.ks);
1044                 dat->block      = (block128_f)AES_encrypt;
1045                 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
1046                                         (cbc128_f)AES_cbc_encrypt :
1047                                         NULL;
1048 #ifdef AES_CTR_ASM
1049                 if (mode==EVP_CIPH_CTR_MODE)
1050                         dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
1051 #endif
1052                 }
1053
1054         if(ret < 0)
1055                 {
1056                 EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
1057                 return 0;
1058                 }
1059
1060         return 1;
1061         }
1062
1063 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1064         const unsigned char *in, size_t len)
1065 {
1066         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1067
1068         if (dat->stream.cbc)
1069                 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
1070         else if (ctx->encrypt)
1071                 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1072         else
1073                 CRYPTO_cbc128_decrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
1074
1075         return 1;
1076 }
1077
1078 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1079         const unsigned char *in, size_t len)
1080 {
1081         size_t  bl = ctx->cipher->block_size;
1082         size_t  i;
1083         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1084
1085         if (len<bl)     return 1;
1086
1087         for (i=0,len-=bl;i<=len;i+=bl)
1088                 (*dat->block)(in+i,out+i,&dat->ks);
1089
1090         return 1;
1091 }
1092
1093 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1094         const unsigned char *in,size_t len)
1095 {
1096         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1097
1098         CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
1099                         ctx->iv,&ctx->num,dat->block);
1100         return 1;
1101 }
1102
1103 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1104         const unsigned char *in,size_t len)
1105 {
1106         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1107
1108         CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
1109                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1110         return 1;
1111 }
1112
1113 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1114         const unsigned char *in,size_t len)
1115 {
1116         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1117
1118         CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
1119                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1120         return 1;
1121 }
1122
1123 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
1124         const unsigned char *in,size_t len)
1125 {
1126         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1127
1128         if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
1129                 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
1130                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1131                 return 1;
1132         }
1133
1134         while (len>=MAXBITCHUNK) {
1135                 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
1136                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1137                 len-=MAXBITCHUNK;
1138         }
1139         if (len)
1140                 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
1141                         ctx->iv,&ctx->num,ctx->encrypt,dat->block);
1142         
1143         return 1;
1144 }
1145
1146 static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
1147                 const unsigned char *in, size_t len)
1148 {
1149         unsigned int num = ctx->num;
1150         EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
1151
1152         if (dat->stream.ctr)
1153                 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
1154                         ctx->iv,ctx->buf,&num,dat->stream.ctr);
1155         else
1156                 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
1157                         ctx->iv,ctx->buf,&num,dat->block);
1158         ctx->num = (size_t)num;
1159         return 1;
1160 }
1161
1162 BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
1163 BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
1164 BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
1165
1166 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
1167         {
1168         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1169         OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
1170         if (gctx->iv != c->iv)
1171                 OPENSSL_free(gctx->iv);
1172         return 1;
1173         }
1174
1175 /* increment counter (64-bit int) by 1 */
1176 static void ctr64_inc(unsigned char *counter) {
1177         int n=8;
1178         unsigned char  c;
1179
1180         do {
1181                 --n;
1182                 c = counter[n];
1183                 ++c;
1184                 counter[n] = c;
1185                 if (c) return;
1186         } while (n);
1187 }
1188
1189 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1190         {
1191         EVP_AES_GCM_CTX *gctx = c->cipher_data;
1192         switch (type)
1193                 {
1194         case EVP_CTRL_INIT:
1195                 gctx->key_set = 0;
1196                 gctx->iv_set = 0;
1197                 gctx->ivlen = c->cipher->iv_len;
1198                 gctx->iv = c->iv;
1199                 gctx->taglen = -1;
1200                 gctx->iv_gen = 0;
1201                 gctx->tls_aad_len = -1;
1202                 return 1;
1203
1204         case EVP_CTRL_GCM_SET_IVLEN:
1205                 if (arg <= 0)
1206                         return 0;
1207 #ifdef OPENSSL_FIPS
1208                 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1209                                                  && arg < 12)
1210                         return 0;
1211 #endif
1212                 /* Allocate memory for IV if needed */
1213                 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
1214                         {
1215                         if (gctx->iv != c->iv)
1216                                 OPENSSL_free(gctx->iv);
1217                         gctx->iv = OPENSSL_malloc(arg);
1218                         if (!gctx->iv)
1219                                 return 0;
1220                         }
1221                 gctx->ivlen = arg;
1222                 return 1;
1223
1224         case EVP_CTRL_GCM_SET_TAG:
1225                 if (arg <= 0 || arg > 16 || c->encrypt)
1226                         return 0;
1227                 memcpy(c->buf, ptr, arg);
1228                 gctx->taglen = arg;
1229                 return 1;
1230
1231         case EVP_CTRL_GCM_GET_TAG:
1232                 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
1233                         return 0;
1234                 memcpy(ptr, c->buf, arg);
1235                 return 1;
1236
1237         case EVP_CTRL_GCM_SET_IV_FIXED:
1238                 /* Special case: -1 length restores whole IV */
1239                 if (arg == -1)
1240                         {
1241                         memcpy(gctx->iv, ptr, gctx->ivlen);
1242                         gctx->iv_gen = 1;
1243                         return 1;
1244                         }
1245                 /* Fixed field must be at least 4 bytes and invocation field
1246                  * at least 8.
1247                  */
1248                 if ((arg < 4) || (gctx->ivlen - arg) < 8)
1249                         return 0;
1250                 if (arg)
1251                         memcpy(gctx->iv, ptr, arg);
1252                 if (c->encrypt &&
1253                         RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
1254                         return 0;
1255                 gctx->iv_gen = 1;
1256                 return 1;
1257
1258         case EVP_CTRL_GCM_IV_GEN:
1259                 if (gctx->iv_gen == 0 || gctx->key_set == 0)
1260                         return 0;
1261                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1262                 if (arg <= 0 || arg > gctx->ivlen)
1263                         arg = gctx->ivlen;
1264                 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
1265                 /* Invocation field will be at least 8 bytes in size and
1266                  * so no need to check wrap around or increment more than
1267                  * last 8 bytes.
1268                  */
1269                 ctr64_inc(gctx->iv + gctx->ivlen - 8);
1270                 gctx->iv_set = 1;
1271                 return 1;
1272
1273         case EVP_CTRL_GCM_SET_IV_INV:
1274                 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
1275                         return 0;
1276                 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
1277                 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
1278                 gctx->iv_set = 1;
1279                 return 1;
1280
1281         case EVP_CTRL_AEAD_TLS1_AAD:
1282                 /* Save the AAD for later use */
1283                 if (arg != 13)
1284                         return 0;
1285                 memcpy(c->buf, ptr, arg);
1286                 gctx->tls_aad_len = arg;
1287                         {
1288                         unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
1289                         /* Correct length for explicit IV */
1290                         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1291                         /* If decrypting correct for tag too */
1292                         if (!c->encrypt)
1293                                 len -= EVP_GCM_TLS_TAG_LEN;
1294                         c->buf[arg-2] = len>>8;
1295                         c->buf[arg-1] = len & 0xff;
1296                         }
1297                 /* Extra padding: tag appended to record */
1298                 return EVP_GCM_TLS_TAG_LEN;
1299
1300         default:
1301                 return -1;
1302
1303                 }
1304         }
1305
1306 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1307                         const unsigned char *iv, int enc)
1308         {
1309         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1310         if (!iv && !key)
1311                 return 1;
1312         if (key)
1313                 { do {
1314 #ifdef BSAES_CAPABLE
1315                 if (BSAES_CAPABLE)
1316                         {
1317                         AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1318                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1319                                         (block128_f)AES_encrypt);
1320                         gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
1321                         break;
1322                         }
1323                 else
1324 #endif
1325 #ifdef VPAES_CAPABLE
1326                 if (VPAES_CAPABLE)
1327                         {
1328                         vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks.ks);
1329                         CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
1330                                         (block128_f)vpaes_encrypt);
1331                         gctx->ctr = NULL;
1332                         break;
1333                         }
1334                 else
1335 #endif
1336                 (void)0;        /* terminate potentially open 'else' */
1337
1338                 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
1339                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
1340 #ifdef AES_CTR_ASM
1341                 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
1342 #else
1343                 gctx->ctr = NULL;
1344 #endif
1345                 } while (0);
1346
1347                 /* If we have an iv can set it directly, otherwise use
1348                  * saved IV.
1349                  */
1350                 if (iv == NULL && gctx->iv_set)
1351                         iv = gctx->iv;
1352                 if (iv)
1353                         {
1354                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1355                         gctx->iv_set = 1;
1356                         }
1357                 gctx->key_set = 1;
1358                 }
1359         else
1360                 {
1361                 /* If key set use IV, otherwise copy */
1362                 if (gctx->key_set)
1363                         CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
1364                 else
1365                         memcpy(gctx->iv, iv, gctx->ivlen);
1366                 gctx->iv_set = 1;
1367                 gctx->iv_gen = 0;
1368                 }
1369         return 1;
1370         }
1371
1372 /* Handle TLS GCM packet format. This consists of the last portion of the IV
1373  * followed by the payload and finally the tag. On encrypt generate IV,
1374  * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
1375  * and verify tag.
1376  */
1377
1378 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1379                 const unsigned char *in, size_t len)
1380         {
1381         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1382         int rv = -1;
1383         /* Encrypt/decrypt must be performed in place */
1384         if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
1385                 return -1;
1386         /* Set IV from start of buffer or generate IV and write to start
1387          * of buffer.
1388          */
1389         if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
1390                                 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
1391                                 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
1392                 goto err;
1393         /* Use saved AAD */
1394         if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
1395                 goto err;
1396         /* Fix buffer and length to point to payload */
1397         in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1398         out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1399         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1400         if (ctx->encrypt)
1401                 {
1402                 /* Encrypt payload */
1403                 if (gctx->ctr)
1404                         {
1405                         size_t bulk=0;
1406 #if defined(AES_GCM_ASM)
1407                         if (len>=32 && AES_GCM_ASM(gctx))
1408                                 {
1409                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1410                                         return -1;
1411
1412                                 bulk = AES_gcm_encrypt(in,out,len,
1413                                                         gctx->gcm.key,
1414                                                         gctx->gcm.Yi.c,
1415                                                         gctx->gcm.Xi.u);
1416                                 gctx->gcm.len.u[1] += bulk;
1417                                 }
1418 #endif
1419                         if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1420                                                         in +bulk,
1421                                                         out+bulk,
1422                                                         len-bulk,
1423                                                         gctx->ctr))
1424                                 goto err;
1425                         }
1426                 else    {
1427                         size_t bulk=0;
1428 #if defined(AES_GCM_ASM2)
1429                         if (len>=32 && AES_GCM_ASM2(gctx))
1430                                 {
1431                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,NULL,NULL,0))
1432                                         return -1;
1433
1434                                 bulk = AES_gcm_encrypt(in,out,len,
1435                                                         gctx->gcm.key,
1436                                                         gctx->gcm.Yi.c,
1437                                                         gctx->gcm.Xi.u);
1438                                 gctx->gcm.len.u[1] += bulk;
1439                                 }
1440 #endif
1441                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1442                                                         in +bulk,
1443                                                         out+bulk,
1444                                                         len-bulk))
1445                                 goto err;
1446                         }
1447                 out += len;
1448                 /* Finally write tag */
1449                 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
1450                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
1451                 }
1452         else
1453                 {
1454                 /* Decrypt */
1455                 if (gctx->ctr)
1456                         {
1457                         size_t bulk=0;
1458 #if defined(AES_GCM_ASM)
1459                         if (len>=16 && AES_GCM_ASM(gctx))
1460                                 {
1461                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1462                                         return -1;
1463
1464                                 bulk = AES_gcm_decrypt(in,out,len,
1465                                                         gctx->gcm.key,
1466                                                         gctx->gcm.Yi.c,
1467                                                         gctx->gcm.Xi.u);
1468                                 gctx->gcm.len.u[1] += bulk;
1469                                 }
1470 #endif
1471                         if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1472                                                         in +bulk,
1473                                                         out+bulk,
1474                                                         len-bulk,
1475                                                         gctx->ctr))
1476                                 goto err;
1477                         }
1478                 else    {
1479                         size_t bulk=0;
1480 #if defined(AES_GCM_ASM2)
1481                         if (len>=16 && AES_GCM_ASM2(gctx))
1482                                 {
1483                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,NULL,NULL,0))
1484                                         return -1;
1485
1486                                 bulk = AES_gcm_decrypt(in,out,len,
1487                                                         gctx->gcm.key,
1488                                                         gctx->gcm.Yi.c,
1489                                                         gctx->gcm.Xi.u);
1490                                 gctx->gcm.len.u[1] += bulk;
1491                                 }
1492 #endif
1493                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1494                                                         in +bulk,
1495                                                         out+bulk,
1496                                                         len-bulk))
1497                                 goto err;
1498                         }
1499                 /* Retrieve tag */
1500                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
1501                                         EVP_GCM_TLS_TAG_LEN);
1502                 /* If tag mismatch wipe buffer */
1503                 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
1504                         {
1505                         OPENSSL_cleanse(out, len);
1506                         goto err;
1507                         }
1508                 rv = len;
1509                 }
1510
1511         err:
1512         gctx->iv_set = 0;
1513         gctx->tls_aad_len = -1;
1514         return rv;
1515         }
1516
1517 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1518                 const unsigned char *in, size_t len)
1519         {
1520         EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
1521         /* If not set up, return error */
1522         if (!gctx->key_set)
1523                 return -1;
1524
1525         if (gctx->tls_aad_len >= 0)
1526                 return aes_gcm_tls_cipher(ctx, out, in, len);
1527
1528         if (!gctx->iv_set)
1529                 return -1;
1530         if (in)
1531                 {
1532                 if (out == NULL)
1533                         {
1534                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
1535                                 return -1;
1536                         }
1537                 else if (ctx->encrypt)
1538                         {
1539                         if (gctx->ctr)
1540                                 {
1541                                 size_t bulk=0;
1542 #if defined(AES_GCM_ASM)
1543                                 if (len>=32 && AES_GCM_ASM(gctx))
1544                                         {
1545                                         size_t res = (16-gctx->gcm.mres)%16;
1546
1547                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1548                                                         in,out,res))
1549                                                 return -1;
1550
1551                                         bulk = AES_gcm_encrypt(in+res,
1552                                                         out+res,len-res,                                                                gctx->gcm.key,
1553                                                         gctx->gcm.Yi.c,
1554                                                         gctx->gcm.Xi.u);
1555                                         gctx->gcm.len.u[1] += bulk;
1556                                         bulk += res;
1557                                         }
1558 #endif
1559                                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
1560                                                         in +bulk,
1561                                                         out+bulk,
1562                                                         len-bulk,
1563                                                         gctx->ctr))
1564                                         return -1;
1565                                 }
1566                         else    {
1567                                 size_t bulk=0;
1568 #if defined(AES_GCM_ASM2)
1569                                 if (len>=32 && AES_GCM_ASM2(gctx))
1570                                         {
1571                                         size_t res = (16-gctx->gcm.mres)%16;
1572
1573                                         if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1574                                                         in,out,res))
1575                                                 return -1;
1576
1577                                         bulk = AES_gcm_encrypt(in+res,
1578                                                         out+res,len-res,                                                                gctx->gcm.key,
1579                                                         gctx->gcm.Yi.c,
1580                                                         gctx->gcm.Xi.u);
1581                                         gctx->gcm.len.u[1] += bulk;
1582                                         bulk += res;
1583                                         }
1584 #endif
1585                                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
1586                                                         in +bulk,
1587                                                         out+bulk,
1588                                                         len-bulk))
1589                                         return -1;
1590                                 }
1591                         }
1592                 else
1593                         {
1594                         if (gctx->ctr)
1595                                 {
1596                                 size_t bulk=0;
1597 #if defined(AES_GCM_ASM)
1598                                 if (len>=16 && AES_GCM_ASM(gctx))
1599                                         {
1600                                         size_t res = (16-gctx->gcm.mres)%16;
1601
1602                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1603                                                         in,out,res))
1604                                                 return -1;
1605
1606                                         bulk = AES_gcm_decrypt(in+res,
1607                                                         out+res,len-res,
1608                                                         gctx->gcm.key,
1609                                                         gctx->gcm.Yi.c,
1610                                                         gctx->gcm.Xi.u);
1611                                         gctx->gcm.len.u[1] += bulk;
1612                                         bulk += res;
1613                                         }
1614 #endif
1615                                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1616                                                         in +bulk,
1617                                                         out+bulk,
1618                                                         len-bulk,
1619                                                         gctx->ctr))
1620                                         return -1;
1621                                 }
1622                         else    {
1623                                 size_t bulk=0;
1624 #if defined(AES_GCM_ASM2)
1625                                 if (len>=16 && AES_GCM_ASM2(gctx))
1626                                         {
1627                                         size_t res = (16-gctx->gcm.mres)%16;
1628
1629                                         if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1630                                                         in,out,res))
1631                                                 return -1;
1632
1633                                         bulk = AES_gcm_decrypt(in+res,
1634                                                         out+res,len-res,
1635                                                         gctx->gcm.key,
1636                                                         gctx->gcm.Yi.c,
1637                                                         gctx->gcm.Xi.u);
1638                                         gctx->gcm.len.u[1] += bulk;
1639                                         bulk += res;
1640                                         }
1641 #endif
1642                                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
1643                                                         in +bulk,
1644                                                         out+bulk,
1645                                                         len-bulk))
1646                                         return -1;
1647                                 }
1648                         }
1649                 return len;
1650                 }
1651         else
1652                 {
1653                 if (!ctx->encrypt)
1654                         {
1655                         if (gctx->taglen < 0)
1656                                 return -1;
1657                         if (CRYPTO_gcm128_finish(&gctx->gcm,
1658                                         ctx->buf, gctx->taglen) != 0)
1659                                 return -1;
1660                         gctx->iv_set = 0;
1661                         return 0;
1662                         }
1663                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1664                 gctx->taglen = 16;
1665                 /* Don't reuse the IV */
1666                 gctx->iv_set = 0;
1667                 return 0;
1668                 }
1669
1670         }
1671
1672 #define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1673                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1674                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1675
1676 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1677                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1678 BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1679                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1680 BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1681                 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1682
1683 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1684         {
1685         EVP_AES_XTS_CTX *xctx = c->cipher_data;
1686         if (type != EVP_CTRL_INIT)
1687                 return -1;
1688         /* key1 and key2 are used as an indicator both key and IV are set */
1689         xctx->xts.key1 = NULL;
1690         xctx->xts.key2 = NULL;
1691         return 1;
1692         }
1693
1694 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1695                         const unsigned char *iv, int enc)
1696         {
1697         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1698         if (!iv && !key)
1699                 return 1;
1700
1701         if (key) do
1702                 {
1703 #ifdef AES_XTS_ASM
1704                 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1705 #else
1706                 xctx->stream = NULL;
1707 #endif
1708                 /* key_len is two AES keys */
1709 #ifdef BSAES_CAPABLE
1710                 if (BSAES_CAPABLE)
1711                         xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1712                 else
1713 #endif
1714 #ifdef VPAES_CAPABLE
1715                 if (VPAES_CAPABLE)
1716                     {
1717                     if (enc)
1718                         {
1719                         vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1720                         xctx->xts.block1 = (block128_f)vpaes_encrypt;
1721                         }
1722                     else
1723                         {
1724                         vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1725                         xctx->xts.block1 = (block128_f)vpaes_decrypt;
1726                         }
1727
1728                     vpaes_set_encrypt_key(key + ctx->key_len/2,
1729                                                 ctx->key_len * 4, &xctx->ks2.ks);
1730                     xctx->xts.block2 = (block128_f)vpaes_encrypt;
1731
1732                     xctx->xts.key1 = &xctx->ks1;
1733                     break;
1734                     }
1735                 else
1736 #endif
1737                 (void)0;        /* terminate potentially open 'else' */
1738
1739                 if (enc)
1740                         {
1741                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1742                         xctx->xts.block1 = (block128_f)AES_encrypt;
1743                         }
1744                 else
1745                         {
1746                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
1747                         xctx->xts.block1 = (block128_f)AES_decrypt;
1748                         }
1749
1750                 AES_set_encrypt_key(key + ctx->key_len/2,
1751                                                 ctx->key_len * 4, &xctx->ks2.ks);
1752                 xctx->xts.block2 = (block128_f)AES_encrypt;
1753
1754                 xctx->xts.key1 = &xctx->ks1;
1755                 } while (0);
1756
1757         if (iv)
1758                 {
1759                 xctx->xts.key2 = &xctx->ks2;
1760                 memcpy(ctx->iv, iv, 16);
1761                 }
1762
1763         return 1;
1764         }
1765
1766 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1767                 const unsigned char *in, size_t len)
1768         {
1769         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1770         if (!xctx->xts.key1 || !xctx->xts.key2)
1771                 return 0;
1772         if (!out || !in || len<AES_BLOCK_SIZE)
1773                 return 0;
1774 #ifdef OPENSSL_FIPS
1775         /* Requirement of SP800-38E */
1776         if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1777                         (len > (1UL<<20)*16))
1778                 {
1779                 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1780                 return 0;
1781                 }
1782 #endif
1783         if (xctx->stream)
1784                 (*xctx->stream)(in, out, len,
1785                                 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1786         else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1787                                                                 ctx->encrypt))
1788                 return 0;
1789         return 1;
1790         }
1791
1792 #define aes_xts_cleanup NULL
1793
1794 #define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1795                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1796
1797 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1798 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1799
1800 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1801         {
1802         EVP_AES_CCM_CTX *cctx = c->cipher_data;
1803         switch (type)
1804                 {
1805         case EVP_CTRL_INIT:
1806                 cctx->key_set = 0;
1807                 cctx->iv_set = 0;
1808                 cctx->L = 8;
1809                 cctx->M = 12;
1810                 cctx->tag_set = 0;
1811                 cctx->len_set = 0;
1812                 return 1;
1813
1814         case EVP_CTRL_CCM_SET_IVLEN:
1815                 arg = 15 - arg;
1816         case EVP_CTRL_CCM_SET_L:
1817                 if (arg < 2 || arg > 8)
1818                         return 0;
1819                 cctx->L = arg;
1820                 return 1;
1821
1822         case EVP_CTRL_CCM_SET_TAG:
1823                 if ((arg & 1) || arg < 4 || arg > 16)
1824                         return 0;
1825                 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1826                         return 0;
1827                 if (ptr)
1828                         {
1829                         cctx->tag_set = 1;
1830                         memcpy(c->buf, ptr, arg);
1831                         }
1832                 cctx->M = arg;
1833                 return 1;
1834
1835         case EVP_CTRL_CCM_GET_TAG:
1836                 if (!c->encrypt || !cctx->tag_set)
1837                         return 0;
1838                 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1839                         return 0;
1840                 cctx->tag_set = 0;
1841                 cctx->iv_set = 0;
1842                 cctx->len_set = 0;
1843                 return 1;
1844
1845         default:
1846                 return -1;
1847
1848                 }
1849         }
1850
1851 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1852                         const unsigned char *iv, int enc)
1853         {
1854         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1855         if (!iv && !key)
1856                 return 1;
1857         if (key) do
1858                 {
1859 #ifdef VPAES_CAPABLE
1860                 if (VPAES_CAPABLE)
1861                         {
1862                         vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks.ks);
1863                         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1864                                         &cctx->ks, (block128_f)vpaes_encrypt);
1865                         cctx->str = NULL;
1866                         cctx->key_set = 1;
1867                         break;
1868                         }
1869 #endif
1870                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
1871                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1872                                         &cctx->ks, (block128_f)AES_encrypt);
1873                 cctx->str = NULL;
1874                 cctx->key_set = 1;
1875                 } while (0);
1876         if (iv)
1877                 {
1878                 memcpy(ctx->iv, iv, 15 - cctx->L);
1879                 cctx->iv_set = 1;
1880                 }
1881         return 1;
1882         }
1883
1884 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1885                 const unsigned char *in, size_t len)
1886         {
1887         EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1888         CCM128_CONTEXT *ccm = &cctx->ccm;
1889         /* If not set up, return error */
1890         if (!cctx->iv_set && !cctx->key_set)
1891                 return -1;
1892         if (!ctx->encrypt && !cctx->tag_set)
1893                 return -1;
1894         if (!out)
1895                 {
1896                 if (!in)
1897                         {
1898                         if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1899                                 return -1;
1900                         cctx->len_set = 1;
1901                         return len;
1902                         }
1903                 /* If have AAD need message length */
1904                 if (!cctx->len_set && len)
1905                         return -1;
1906                 CRYPTO_ccm128_aad(ccm, in, len);
1907                 return len;
1908                 }
1909         /* EVP_*Final() doesn't return any data */
1910         if (!in)
1911                 return 0;
1912         /* If not set length yet do it */
1913         if (!cctx->len_set)
1914                 {
1915                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1916                         return -1;
1917                 cctx->len_set = 1;
1918                 }
1919         if (ctx->encrypt)
1920                 {
1921                 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1922                                                 cctx->str) :
1923                                 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1924                         return -1;
1925                 cctx->tag_set = 1;
1926                 return len;
1927                 }
1928         else
1929                 {
1930                 int rv = -1;
1931                 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1932                                                 cctx->str) :
1933                                 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1934                         {
1935                         unsigned char tag[16];
1936                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1937                                 {
1938                                 if (!memcmp(tag, ctx->buf, cctx->M))
1939                                         rv = len;
1940                                 }
1941                         }
1942                 if (rv == -1)
1943                         OPENSSL_cleanse(out, len);
1944                 cctx->iv_set = 0;
1945                 cctx->tag_set = 0;
1946                 cctx->len_set = 0;
1947                 return rv;
1948                 }
1949
1950         }
1951
1952 #define aes_ccm_cleanup NULL
1953
1954 BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1955 BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1956 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1957
1958 typedef struct
1959         {
1960         union { double align; AES_KEY ks; } ks;
1961         /* Indicates if IV has been set */
1962         unsigned char *iv;
1963         } EVP_AES_WRAP_CTX;
1964
1965 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1966                         const unsigned char *iv, int enc)
1967         {
1968         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1969         if (!iv && !key)
1970                 return 1;
1971         if (key)
1972                 {
1973                 if (ctx->encrypt)
1974                         AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1975                 else
1976                         AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
1977                 if (!iv)
1978                         wctx->iv = NULL;
1979                 }
1980         if (iv)
1981                 {
1982                 memcpy(ctx->iv, iv, 8);
1983                 wctx->iv = ctx->iv;
1984                 }
1985         return 1;
1986         }
1987
1988 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1989                 const unsigned char *in, size_t inlen)
1990         {
1991         EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
1992         size_t rv;
1993         if (inlen % 8)
1994                 return 0;
1995         if (!out)
1996                 {
1997                 if (ctx->encrypt)
1998                         return inlen + 8;
1999                 else
2000                         return inlen - 8;
2001                 }
2002         if (!in)
2003                 return 0;
2004         if (ctx->encrypt)
2005                 rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
2006                                                 (block128_f)AES_encrypt);
2007         else
2008                 rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
2009                                                 (block128_f)AES_decrypt);
2010         return rv ? (int)rv : -1;
2011         }
2012
2013 #define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
2014                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
2015                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
2016
2017 static const EVP_CIPHER aes_128_wrap = {
2018         NID_id_aes128_wrap,
2019         8, 16, 8, WRAP_FLAGS,
2020         aes_wrap_init_key, aes_wrap_cipher,
2021         NULL,   
2022         sizeof(EVP_AES_WRAP_CTX),
2023         NULL,NULL,NULL,NULL };
2024
2025 const EVP_CIPHER *EVP_aes_128_wrap(void)
2026         {
2027         return &aes_128_wrap;
2028         }
2029
2030 static const EVP_CIPHER aes_192_wrap = {
2031         NID_id_aes192_wrap,
2032         8, 24, 8, WRAP_FLAGS,
2033         aes_wrap_init_key, aes_wrap_cipher,
2034         NULL,   
2035         sizeof(EVP_AES_WRAP_CTX),
2036         NULL,NULL,NULL,NULL };
2037
2038 const EVP_CIPHER *EVP_aes_192_wrap(void)
2039         {
2040         return &aes_192_wrap;
2041         }
2042
2043 static const EVP_CIPHER aes_256_wrap = {
2044         NID_id_aes256_wrap,
2045         8, 32, 8, WRAP_FLAGS,
2046         aes_wrap_init_key, aes_wrap_cipher,
2047         NULL,   
2048         sizeof(EVP_AES_WRAP_CTX),
2049         NULL,NULL,NULL,NULL };
2050
2051 const EVP_CIPHER *EVP_aes_256_wrap(void)
2052         {
2053         return &aes_256_wrap;
2054         }
2055
2056 #endif